Since June 1, 2016, Apple stipulated that all apps submitted to the App Store must be compatible with the IPv6-only standard. Currently, a significantly large number of Internet resources and users utilize the IPv6 protocol. Therefore, the Internet services that do not support IPv6 may lose a large number of users.
At the end of 2017, the General Office of the CPC Central Committee and the General Office of the State Council issued the "Action Plan for Promoting the Scale Deployment of IPv6", requiring the number of active IPv6 users to reach 200 million by the end of 2018, and requiring the top 50 commercial websites and apps with the largest number of users in China to support IPv6. IPv6 had become a national strategy.
With the advent of IPv6, attacks under IPv6 networks began to emerge.
At the beginning of 2018, Neustar announced that it was attacked by IPv6 distributed denial of service (DDoS). It was the first publicly reported IPv6 DDoS attack. Subsequently, IPv6 DDoS attack tools, such as thc-ipv6 and hping, also emerged on the Internet.
In November 2018, Taobao and Youku ran IPv6 during the Double 11 Shopping Festival for the first time. Alibaba Cloud Security built the first IPv6 DDoS defense system in China, which supports second-level monitoring and massive IP address defense, providing IPv4+IPv6 dual-stack automatic DDoS protection for the cloud services of Taobao and Youku.
During the Double 11 Shopping Festival, the dual-stack defense system intercepted more than 5,000 DDoS attacks, with maximum attack traffic of 397 Gbit/s.
Although the defense system under IPv4 is mature, it cannot be directly used for IPv6 protection. Instead, it must be completely redeveloped to support IPv6. It must be re-adapted to the new network environment of IPv6 in terms of traffic monitoring, scheduling, scrubbing, and black holes. The new features of the IPv6 protocol may be exploited by hackers to launch DDoS or denial of service (DoS) attacks.
This is because in IPv6:
IPv6 provides massive IP addresses, allowing an Internet Data Center (IDC) to apply for many available CIDR blocks. In this situation, defense algorithms that rely on requests-based throttling of source IP addresses no longer work.
It is more difficult to prevent application-layer DDoS attacks, such as HTTP flooding, malicious ticket brushing, and crawlers. Hackers may intrude into Internet-connected smart devices, such as self-driving vehicles, Internet of Things (IoT) devices, and mobile terminals, and turn them into zombies for launching DDoS attacks. This may result in massive attack packets.
DDoS attacks are usually for commercial interests. According to the cybersecurity report for the first half of 2018 released by Alibaba Cloud, DDoS attacks often aim at highly competitive fields such as games, mobile apps, and e-commerce.
As enterprises migrate their services to IPv6, DDoS attacks under IPv6 may be effective and easy initially because many enterprises are not ready to defend against IPv6 DDoS attacks.
In such a situation, IPv6 DDoS attacks may spread and become a pain point for many enterprises.
Let's take a look at some new challenges and changes concerning the IPv6.
Alibaba Cloud implements IPv6 security in the following aspects.
1. Redevelop Systems to Support IPv4+IPv6 Dual-stack Automatic DDoS Protection
a. Traffic Monitoring and Alert System
The traffic monitoring and alert system must support IPv6 and IPv4 and monitor dual-stack traffic. To detect massive IPv6 IP addresses, Alibaba Cloud DDoS Protection uses a distributed cluster architecture to distribute traffic to clusters for collaborative computing, and collects statistics on traffic metrics to detect abnormal traffic in seconds.
b. Scheduling System
The scheduling system is upgraded to support dual-stack, automatically determine the IP address type, and enable the appropriate defense mode and traffic scrubbing algorithm.
c. Traffic Scrubbing System
Alibaba Cloud redesigns and deploys the traffic redirection, reinjection, and scrubbing systems, and develops an IPv6-specific traffic scrubbing algorithm.
2. Provide Carrier-Level Black Hole Capability
Bandwidth congestion occurs when massive attack traffic is initiated by an IPv4 or IPv6 address. All the services of an IDC or a cloud service provider may become unavailable due to an attack aimed at a single IP address. This is a disastrous situation. Compared with IPv4, IPv6 networks are exposed to a higher threat of attack-caused bandwidth congestion at the early stage of bandwidth development. Alibaba Cloud and major Internet service providers (ISPs) establish an IPv6 black hole linkage capability to discard traffic that exceeds the black hole threshold on carriers' IPv6 backbone networks and provide a secure cloud environment.
3. Upgrade the Protection Mode
a. Prefix-Level Defense Algorithm
The massive IP addresses that may be requested by an IDC belong to a limited number of CIDR blocks. Even though an attacker can exploit massive IP addresses, the zombie IP addresses in the same IDC are relatively concentrated in certain CIDR blocks. An effective measure to mitigate the impact of massive IPv6 addresses is collecting analytical statistics on CIDR blocks.
b. Collaborative Defense
For traditional IDCs and independent security devices, it is difficult to determine whether the traffic from an IP address is an attack or normal access and whether the IP address is subjected to network address translation (NAT) or located at a campus egress if most metrics of this IP address are normal. This further reduces the possibility of identifying attacks that exploit massive IPv6 addresses. However, for cost and efficiency considerations, attackers tend to use one IP address to attack more than one victim. For example, the IP address in the format X.X.X.X may be used to launch a challenge collapsar (CC) attack against Server B after launching a DDoS attack against Server A.
Under the scale effect, Alibaba Cloud simultaneously protects massive IP addresses and analyzes all scrubbed data online. This helps identify attacks based on the behavior of a single IP address and allow all tenants to collaborate in their defense and share threat intelligence.
c. Intelligent, Deep Defense
It is difficult to prevent application-layer DDoS attacks through throttling. Under IPv6, an attacker can obtain 10,000 IP addresses at a low cost and initiate one request from every IP address per second to destroy a website even though when website supports 10,000 queries per second (QPS). Therefore, IPv6 application-layer DDoS attacks must be prevented by advanced bot identification technologies and countermeasures. Alibaba Cloud applies a series of bot countermeasures to web application firewalls (WAFs).
It is recommended that ISPs build IPv6 services by using cloud services, instead of using the costly method to redevelop and upgrade systems to support IPv6.
Currently, many Alibaba Cloud products support IPv6 and provide IPv6 DDoS protection in terms of software as a service (SaaS), helping enterprises build higher levels of defense capabilities in 1 second.
Decoding the AI Defense System Behind Alibaba Cloud Web Application Firewall (WAF)
32 posts | 15 followers
FollowAlibaba Clouder - December 23, 2020
Alibaba Clouder - March 22, 2021
Alibaba Cloud New Products - June 3, 2020
Alibaba Clouder - January 22, 2020
Alibaba Clouder - July 16, 2021
Alibaba Clouder - January 20, 2021
32 posts | 15 followers
FollowA comprehensive DDoS protection for enterprise to intelligently defend sophisticated DDoS attacks, reduce business loss risks, and mitigate potential security threats.
Learn MoreGet started on cloud with $1. Start your cloud innovation journey here and now.
Learn MoreA cloud-based security service that protects your data and application from DDoS attacks
Learn MoreMore Posts by Alibaba Cloud Security